Advanced Threat Detection and Internet of Everything

The coming Internet of Everything (IoE) will add thousands if not millions of sensors, devices, and automated systems to enterprise networks. However, most of these endpoints will not support security capabilities, making them useful to hackers as a way to access and attack the connected network.

This IoE security challenge is reflected in two critical questions for information security departments:

● How can we protect our network, data, and applications from threats that could come from millions of endpoints, most of which can’t be secured?

● How will we be able to analyze the huge volume of status and operational data generated by IoE devices for potential attacks and risks?

“Security managers will need the ability to leverage IoE data not only to identify specific threats, but also to learn about what types of traffic or activity represent an actual risk,” says Logan Wilkins, program manager, Cisco InfoSec.

Building a Security Data Infrastructure

For Cisco IT, answering the questions about IoE security means first looking to the network level, which is the best place for getting security-related information and where security measures can have the most effect.

To gather IoE security information within Cisco, we are deploying a system to collect network traffic data that reaches a volume of billions of records per day. The initial focus of the system is Domain Name System (DNS) data, which as of mid-2015 means collecting up to three billion events daily, even before we’ve started to deploy massive numbers of IoE sensors. We started with DNS data because of these factors:

● The volume is large enough to validate that our data collection and processing systems will be adequate to handle the higher data volumes generated by IoE elements.

● DNS records provide an easy, fast way to find many security problems.

● DNS also provides an important foundation for deeper analysis into other protocols that may be involved in a breach or attack.

In the future, we plan to expand data collection to include NetFlow, which will help us automatically detect and handle more security threats.

Machine Learning for Data Filtering and Correlation

To make all of this information useful to Cisco® security teams, we are applying machine learning technology. Sophisticated learning algorithms classify and correlate the data to identify unusual events, outlier values, and unexpected behaviors. Examples of how we will apply machine learning to IoE security data include:

● Using advanced learning algorithms to recognize with a high degree of confidence those external hosts that are likely to have malicious intent.

● Analyzing the behavior of hosts and devices on our network to discern unusual activity that would indicate malware or unauthorized control of the device.
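As an added illustration (not Cisco IT's system or code), the kind of per-host feature extraction and simple statistical outlier check that the DNS-based analysis described above would start from, run over a constructed batch of DNS events; the feature names, thresholds and the `.example.test` zone are assumptions for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS events as (client_ip, queried_name, rcode): four hosts make
# ordinary lookups; 10.1.1.9 is the planted outlier (many NXDOMAINs for random names).
SAMPLE_EVENTS = [
    ("10.1.1.5", "www.cisco.com", "NOERROR"),
    ("10.1.1.5", "mail.example.com", "NOERROR"),
    ("10.1.1.6", "www.cisco.com", "NOERROR"),
    ("10.1.1.6", "updates.example.com", "NOERROR"),
    ("10.1.1.7", "www.example.org", "NOERROR"),
    ("10.1.1.7", "cdn.example.net", "NOERROR"),
    ("10.1.1.8", "www.cisco.com", "NOERROR"),
] + [
    ("10.1.1.9", label + ".example.test", "NXDOMAIN")  # assumed .test zone
    for label in ("xk3j9qzp2m", "a7f0bq1wzr", "q9l2x8vjm3", "zp0k7w3nq1",
                  "mj4b9z1lxq", "k0q8zx2p7m", "r3w9jq0zxa", "b7zq1kx9mp")
]

def label_entropy(name):
    """Shannon entropy (bits/char) of the leftmost label; random-looking labels score high."""
    label = name.split(".")[0]
    return -sum(c / len(label) * math.log2(c / len(label))
                for c in Counter(label).values())

def per_host_features(events):
    """Reduce raw events to one feature row per client host."""
    acc = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "entropy": 0.0})
    for host, name, rcode in events:
        acc[host]["queries"] += 1
        acc[host]["entropy"] += label_entropy(name)
        acc[host]["nxdomain"] += 1 if rcode == "NXDOMAIN" else 0
    return {h: {"queries": r["queries"], "nxdomain_ratio": r["nxdomain"] / r["queries"],
                "mean_entropy": r["entropy"] / r["queries"]} for h, r in acc.items()}

def flag_outliers(events, z_threshold=1.5, nx_threshold=0.5, entropy_threshold=3.0):
    """Return {host: [reasons]} for hosts that stand out; thresholds are assumptions."""
    feats = per_host_features(events)
    counts = [f["queries"] for f in feats.values()]
    mean = sum(counts) / len(counts)
    std = math.sqrt(sum((c - mean) ** 2 for c in counts) / len(counts))  # population std
    flagged = {}
    for host, f in feats.items():
        checks = [("query volume", std > 0 and (f["queries"] - mean) / std > z_threshold),
                  ("nxdomain ratio", f["nxdomain_ratio"] > nx_threshold),
                  ("random-looking labels", f["mean_entropy"] > entropy_threshold)]
        reasons = [label for label, hit in checks if hit]
        if reasons:
            flagged[host] = reasons
    return flagged
```

The hand-picked thresholds are the part a learning model would replace at production volume; the feature rows themselves are what an analyst would review when deciding whether a flagged host is a false positive.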

Security Data System Deployment

Cisco IT tested the new security data system in a proof-of-concept project that included the following elements:

We know that defending the Cisco network as it connects more IoE sensors and devices will require the ability to quickly identify new threats. That’s why we’re focusing on two critical capabilities in the security data infrastructure: scalability and automation.

Scalability to Handle Huge Data Volumes

Scalability is first about handling an enormous and ever-growing volume of network data. “If we have the infrastructure to handle billions of events today, then we can be confident about handling the even higher volumes of data that come with IoE,” says Jeff Bollinger, senior investigator, Cisco InfoSec.

We also want a scalable infrastructure design that will allow us to collect and process log data from other IoE monitoring programs as well as data from sources outside the network.

Automated, Intelligent Event Processing

Continual improvement in the machine learning capabilities will allow our automated event processing to become more intelligent over time. Increasing automation will also reduce the number of events that will need to be evaluated by a Cisco security analyst, even as IoE brings more data and new threats.

However, “There will always be a place for human analysis because we can’t know for sure in some situations whether something is really bad or not, so we can’t set up all events for automated handling,” says Bollinger. “We need the knowledge of our security analysts to identify which events indicate a false positive and which indicate a true problem.”

This publication describes how Cisco has benefited from the deployment of its own products. Many factors may have contributed to the results and benefits described. Cisco does not guarantee comparable results elsewhere.

CISCO PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some jurisdictions do not allow disclaimer of express or implied warranties; therefore, this disclaimer may not apply to you.